Report: Apple, Android Apps Riddled With Coding Flaws

Poorly implemented encryption and a bevy of Web application vulnerabilities in Google Android and Apple iOS apps open them up to determined attackers, according to an analysis of mobile application security conducted by Veracode.

"Cryptographic issues significantly weaken data protection," Veracode said in its report. "Attackers with physical control of a mobile device for a small amount of time can jailbreak it and install a backdoor with keyloggers or other malware and/or copy the content."

Security experts have long warned about the poor coding found in mobile applications. The coding problems are attributed to a number of reasons, from rushing mobile apps out too quickly to the belief that mobile application security is easier, which opens up the practice to inexperienced coders who sometimes copy and paste code from other apps that contain vulnerabilities. Campbell, Calif.-based application security vendor Cenzic found similar mobile application flaws in a report issued last month.

The Veracode analysis found that the vulnerability types in Android and Apple applications differ slightly. Veracode said the differences in the frequency of coding errors stem from the programming language used: Apple iOS apps are coded in Objective-C, and Android apps are Java-based.

Apple iOS apps are more susceptible to error-handling and credentials-management flaws than Android applications are, according to the Veracode analysis. Poorly implemented error handling, when problems occur in the app at runtime, can leave a hole for an attacker to use. Credentials-management flaws, meanwhile, can give an attacker an opportunity to steal authentication tokens and access sensitive data.

SQL injection and code quality issues, by contrast, were found more frequently in Android applications, Veracode said. SQL injection, a common website vulnerability, occurs when an attacker passes malicious SQL statements through an input field of an application in an attempt to gain access to sensitive data.
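As an added illustration (not taken from the article or the Veracode report), the string-concatenation query pattern that produces the Android flaw described above is shown beside its parameterized fix. Python's standard sqlite3 module stands in for Android's SQLiteDatabase API so the example runs stand-alone; the table, rows and the tainted input are constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample store: two users, each with one private note."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice's private note"), ("bob", "bob's private note")],
    )
    return conn


def notes_vulnerable(conn, owner):
    """Vulnerable pattern: user input spliced into the SQL text.

    This mirrors db.rawQuery("... WHERE owner = '" + owner + "'", null)
    on Android, where the input can terminate the string literal and add
    its own SQL, so the query stops filtering by owner.
    """
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def notes_parameterized(conn, owner):
    """Hardened pattern: the input is bound as a parameter.

    Equivalent to db.rawQuery("... WHERE owner = ?", new String[]{owner}):
    the driver treats the value as data only, so quotes and keywords in it
    can never change the statement's structure.
    """
    sql = "SELECT body FROM notes WHERE owner = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    conn = build_db()
    tainted = "alice' OR '1'='1"          # constructed malicious field value
    print(notes_vulnerable(conn, tainted))     # returns every user's notes
    print(notes_parameterized(conn, tainted))  # no owner has that literal name
```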

Veracode also reviewed Java ME apps created for the BlackBerry 10 platform, but the set of apps available for the platform at the time of its review, which examined apps between January 2011 and June 2012, was too small, leaving the results open to variability. So far, the firm said, the Java ME apps it tested appear to show vulnerabilities similar to those in apps designed for the other platforms.